Technical Risk Analysis (20 marks)
You have been hired by a small IT company to analyse the technology environment and conduct a technical risk analysis. You are to prepare a management report applying everything you learnt in the subject. The report should include at a minimum:
- An Executive Summary at the beginning of the report which provides a clear statement of the technology project that is being assessed, and an overview of your recommendations to management as to the merits of the project based on your risk assessment.
- A risk assessment based on assets, threats, vulnerabilities and consequences derived from an IT control framework and any existing industry risk recommendations for the project. Identify and discuss the key threats. What could be done to mitigate the risks and their impact on the organisation?
- Provide a brief summary of the protection mechanisms you would employ whether they be people, culture or technology.
- Identify any gaps which you believe require further analysis and offer a rationale as to why.
Your report should be no more than 6 pages.
Organisational Details.
The organization in question is small software house. The software house is working on innovative software, which it plans to sell in the near future. Most code and documentation is stored on servers, which are publicly accessible via the Internet. The organization has a considerable investment in this data (for corporate purposes), hence its integrity and confidentially is important.
The organization has a number of staff that are responsible for the management of the server infrastructure, however administration is somewhat lacked with many people across the organization knowing administrative passwords. At present there isn’t a full time administrator – the administration of services and systems seems to be the role of several developers who know ‘some stuff’. Employees of the organization currently enjoy free, open, unrestricted access to the Internet but realistically they only need to browse certain websites on the Internet. The management would like there to be a system in place to minimise the cost of accessing web resources.
The organization consists of the following departments:
- Research and Development (56 people)
- Management (4 people)
- Human Resources & Legal (5 people)
- Finance (3 person)
There are no formal onboarding and offboarding processes in the organisation. There is close to no policy framework in the organisation.
Infrastructure.
The organization uses a number of servers to perform its core business. The servers are not very busy. In total there are six servers. These servers include a CIFS (Windows File Sharing) Server (running on a Windows NT server), Windows Active Directory Server (running on a Windows NT server), Apache Web Server (running on Mac OS X machine), Development Server (typically accessed using telnet and ftp) (running on Linux), Exchange Server (running on a Windows NT Server) and Oracle Server (running on a Solaris – Sun machine). Each of these servers are, independent machines with vanilla installs of the operating system. The servers are not running the latest operating systems nor have they been patched. These machines have publicly accessible addresses and hence can be access from the Internet.
The servers are commodity x86 boxes or servers that have been acquired through various means i.e. the Sparc Station was purchased from Ebay by some employee’s who wanted to learn Solaris and the Mac, well it was purchased because there is a Mac head in the organization who really loves Mac’s.
There is no maintenance on either the hardware or software. Some of the servers are over five years old e.g. the Sparc Station.
Services and Data.
The servers store the following;
- Home directories,
- Mail,
- Database objects for various development and production environments (for various departments),
- Active Directory Meta Data Object,
- Project Build and Information Directories,
- Code Versioning System (CVS) Data/ Directories,
- Corporate Finance and Personnel Data,
- Web Page Data.
- Customer and Market Intelligence.
- Other forms of Intellectual Property
This data is stored on disks in a number of different boxes. For example the Mail Exchange server stores mail on a internal disk. Where as the Oracle Databases are kept on the oracle servers using a number of disks. The Oracle server also plays home to most of the corporate data. Project Build and CVS data are kept on the development server, which web pages are kept on the web server.
Most services are only used within the organization, however the organization does have a internet presence via its web page and mail server. Despite this some developers work from home in the evenings and access some services e.g. CVS from there home workstation. You can assume there is no redundancy/ fail over in the disks hence if a disk goes bad, that data is lost and the service associated with it fails.
The most important data is the organizations data (mail, web and corporate finance/ personnel data), project builds and CVS information. The integrity of this data must always be preserved. In terms of services the most important service are the web page, email service and CVS infrastructure.
Administration.
Most of the staff in the organization knows the root/ administration passwords to the servers. Most of the administration of the hosts is done via the network using tools such as telnet and rsh. It should be noted that all users have accounts on every server regardless of if they are admin’s.
The administrators do a bad job of administering these machines, as disks are often filling up and there are lots of active but unused accounts (because people leave the organization). The organization depends on the services offered by its servers so very much for its business but there is nothing in place to monitor them. System administration here is basically fire fighting.
External hackers have compromised some desktop machines in the past. The administrators are reasonably confidant that the servers have no been compromised yet (this is probably sheer luck but they are unsure about this). That said when a host is compromised; the administrators merely disable the hack and continue to allow the machine to be used. Most compromises are noticed too late i.e. well after they have been done.
Security.
The organization does not have a firewall or any other security system in place. Currently all services offered by the servers are accessible via the Internet. There is no email/ virus protection in this organization.
Backup and Disaster Recovery.
The organization does not have any backup or disaster recovery systems/ procedures.
Network and Physical Location.
The servers and core network infrastructure are located in common workspace as other infrastructure and employee’s of the organisation. In addition to this the servers are on the same networks as user workstations and there is no network security. The organization is connected to the Internet via a ADSL modem connected to a router. The router connects to a several 10mb hubs, which provide access to the staff (there is only one LAN).
Individual Workstations & Passwords.
Each employee has a desktop computer. Most of the computers are running a vanilla install of a Windows like operating system that has not been patched since install. Employees keep corporate data on these hosts in their home directory, which is not backed up.
In addition to this everyone has administrator privileges to their workstation. As the environment is relaxed, a user can have accounts on other employee computers possibly using the same or different password.
The organization has no hard and fast rules about passwords; infact the most common password used is the person’s name. These passwords are also indicative of what is used on the server machines.